Improve error pages on client certificate failures.

net/socket/ssl_client_socket_impl.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_SOCKET_SSL_CLIENT_SOCKET_IMPL_H_
 #define NET_SOCKET_SSL_CLIENT_SOCKET_IMPL_H_
 
 #include <openssl/base.h>
 #include <openssl/ssl.h>
 #include <stddef.h>
@@ skipping 19 matching lines @@
 #include "net/ssl/openssl_ssl_util.h"
 #include "net/ssl/scoped_openssl_types.h"
 #include "net/ssl/ssl_client_cert_type.h"
 #include "net/ssl/ssl_config_service.h"
 
 namespace base {
 class FilePath;
 class SequencedTaskRunner;
 }
 
+namespace crypto {
+class OpenSSLErrStackTracer;
+}
+
 namespace net {
 
 class CertVerifier;
 class CTVerifier;
 class SSLCertRequestInfo;
 class SSLInfo;
 
 using TokenBindingSignatureMap =
     base::MRUCache<std::pair<TokenBindingType, std::string>,
                    std::vector<uint8_t>>;
@@ skipping 191 matching lines @@
   // in a UMA histogram.
   void RecordNegotiatedProtocol() const;
 
   // Records histograms for channel id support during full handshakes - resumed
   // handshakes are ignored.
   void RecordChannelIDSupport() const;
 
   // Returns whether TLS channel ID is enabled.
   bool IsChannelIDEnabled() const;
 
+  // Returns the net error corresponding to the most recent OpenSSL
+  // error. ssl_error is the output of SSL_get_error.
+  int MapLastOpenSSLError(int ssl_error,
+                          const crypto::OpenSSLErrStackTracer& tracer,
+                          OpenSSLErrorInfo* info);
+
   bool transport_send_busy_;
   bool transport_recv_busy_;
 
   // Buffers which are shared by BoringSSL and SSLClientSocketImpl.
   // GrowableIOBuffer is used to keep ownership and setting offset.
   scoped_refptr<GrowableIOBuffer> send_buffer_;
   scoped_refptr<GrowableIOBuffer> recv_buffer_;
 
   CompletionCallback user_connect_callback_;
   CompletionCallback user_read_callback_;
@@ skipping 92 matching lines @@
   NextProto negotiated_protocol_;
   // Written by the |channel_id_service_|.
   std::unique_ptr<crypto::ECPrivateKey> channel_id_key_;
   // True if a channel ID was sent.
   bool channel_id_sent_;
   // If non-null, the newly-established to be inserted into the session cache
   // once certificate verification is done.
   ScopedSSL_SESSION pending_session_;
   // True if the initial handshake's certificate has been verified.
   bool certificate_verified_;
+  // Set to true if a CertificateRequest was received.
+  bool certificate_requested_;
   // The request handle for |channel_id_service_|.
   ChannelIDService::Request channel_id_request_;
 
   int signature_result_;
   std::vector<uint8_t> signature_;
 
   TransportSecurityState* transport_security_state_;
 
   CTPolicyEnforcer* const policy_enforcer_;
 
   // pinning_failure_log contains a message produced by
   // TransportSecurityState::CheckPublicKeyPins in the event of a
   // pinning failure. It is a (somewhat) human-readable string.
   std::string pinning_failure_log_;
 
   // True if PKP is bypassed due to a local trust anchor.
   bool pkp_bypassed_;
 
   NetLogWithSource net_log_;
   base::WeakPtrFactory<SSLClientSocketImpl> weak_factory_;
 };
 
 }  // namespace net
 
 #endif  // NET_SOCKET_SSL_CLIENT_SOCKET_IMPL_H_